
Diagram 5 — Managed Firewall Service with CoSine's Network-based Solution 




POP Infrastructure 

The POP access infrastructure in the network-based managed firewall service model 
is based on the CoSine Communications IPSX 9000 Service Processing Switch. The 
base configuration for the switch includes: 

■ 26-slot chassis 

■ Redundant power supply 

■ IPNOS Base Software 

■ Ring Bridge & Ring Bridge Pass-Thru (to complete midplane) 

■ Control Blade (for communications with InVision Services Management System) 

■ Dual-port Channelized DS3 Access Blade 

■ Dual-port Unchannelized DS3 Access Blades 

■ Processor Blade 

■ OC-3c POS Trunk Blade 

The following tables analyze the cost structure of all of the above models and 
projects these costs out over 5 years: 
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Object Channels 



Object Channels 



Figur^ Object Manager Layers 



IPSX object database consists of two types of database: Global, managed on Master Control 
Blade by OMORIG and distributed local databases, managed by OMORI agents on every PE 
present in the system. Global database is a superset of the extracts from local databases. 

2.2. Object 

Objects represent a basic unit of management for purposes of fault tolerance, computational load 
balancing etc. One or more adjacent protocol modules can be placed into a single object. It is 
also possible that a module is split across two objects. 
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2.3. Group 

Group is an aggregation point for all objects that comprises the VR. Group and VR have one-to- 
one mapping. A Group encompasses objects, which are located in different address spaces. 
Group Id, which identifies a group, is unique in the scope of a single IPSX system. 

2.4. Object Class 

Figure fe shows the distinction between an Object Class and an Object Group. Both are 
collections of objects. As shown in Figure 2, an object class is a set of objects that have the same 
type signature and behavior (e.g. Applications Class, TCP/IP Class and Interfaces Class). In 
contrast, for an object group, the constituent objects do not necessarily have the same type 
signature and behavior (e.g. Object Groups 1 to 3). There can be multiple objects of the same 
class in an object group (e.g. Object Group 2 has two objects of Interface Class). On the other 
hand, an object group need not have an object of each class (e.g. Object Group 3 does not have 
an object of Interface Class). 




2.5. OMCD and OMORIG 

OMCD is the agent, which interfaces to the Configuration Manager. As shown on Figure 3 
OMCD manages 

• Global list of VPN in the IPSX system 

• List ofVRs per VPN 

The caveats for VPN and VRs are: 

- VPN ID equal to 0 is illegal; 

Global uniqueness of VPN ID across IPSX systems is the responsibility of the Service 
Management System (SMS). 
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Figure g?/)MCD and OMORIG Database maps. 

OMCD creates vpn descriptor every time when Configuration managers request VPN creation. 
Every VPN is identified by unique VPN ID. 

Virtual Router (VR) is identified by VR ID, which is the IP Address of the VR. VR ID is unique 
in the VPN context. When Configuration Manager requests creation of an existing VR in the 
VPN, VR creation request is rejected. Otherwise vr descriptor will be created. 

There are several types of the VR: 

• ISP (Internet Service Provider) VR: Typically there is 1 such VR for a single IPSX. 

• Control VR: There can be only one Control VR for a single IPSX. This VR is used to host 
the management applications such as SNMP, Telnet etc. 

• Customer VR: There are several Customer VRs in a single IPSX. Typically, there is 1 
Customer VR per customer service point. ^J^^ 

Detailed VR creation process is described i 

OMORIG agent runs on every Control Blade, whether it is Master or Standby Blade. OMORI 
local sends the change only to Master. Control Blade Redundancy feature, described in [4] takes 
care of replicating and synchronizing OMORIG database from Master to Standby. 

OMORIG Object ID Links 

OMORIG provides several mappings of Object Ids. It manages list of object Ids, which 

• Are located on the same address space. 

• Belong to the same group 

• Sorted Global object ID list 

• Unsorted Global object ID list 
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Figure V. Object State Machine 



. OM as a DML Application 

Distributed Messaging Layer (DML) is used to provide inter-processor communication and 
isolated channels for data and control messages. Detailed explanation on DML can be found in 
[3]. OMORIG and OMORI communicate via predefined DML channel DMLCHANDATA. 
All IPNOS nodes in the system are members of DML CHAN DATA. During initialization 
process OMORI register to DML receive function, which will be called every time a new packet 
arrives on DML_CHAN_DATA. OMORIG and OMORI are DML applications and therefore 
they are notified on every dynamic event in the system. 




Figure^ OM modules in the IPNOS. 

1. Dynamic events 

There are four types of dynamic events indicated by DML. These are: 

• Peer Up - new IPNOS node detected and reachable. 

• Peer Down - existing IPNOS node became unreachable 

• Master Up - new Master elected in the system 

• Master Down - existing Master became unreachable 

On peer down event OMORI agent aborts all the pending transactions associated with the peer, 
which went down. I 
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3.1.2. OMORIG 

On peer down event OMORIG destroys in its database all the objects, which are local to peer 
which went down. After that a scrub of the database is done. This includes destroying all groups, 
which do not have any objects in them and destroying VR associated with the group.. 

On peer up event and master up event OMORIG agent runs global database update protocol 
described in the section 3.1.3. 
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3.1.3. Update protocol 

On peer up event OMORIG agent initiates a database update for local objects of the new peer. 
OMORIG maintains state machine per OMORI. Global Database Update State Transition 
Diagram is shown in Figure 8 and a detailed description of the transitions is in Table 2. 
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Figured Global database Update State Machine 



STATE 


EVENT 


ACTION 


START 


TIMEOUT && (request count < 
MAX) 


Send update request 


START 


TIMEOUT && (request count > 
MAX) 


Peer did not reply. Update FAILED 
Transit to FINISH state. 


START 


RECV UPDATE GROUP message 


Transit to UPDATE GROUP state. 
Set last update equal to the current 
time. 


START 


RECV UPDATE OBJECT message 


Transit to UPDATE OBJECT state. 
Set last update equal to the current 
time. 
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4. Objects: Creation and Inter Communication 
4.1. Overview 

In Figure 9 the communication for object creation is shown. IP object with OID 1 requests 
Firewall object to be created. OM creates object descriptor and based on the specified class of 
the object (e.g. Firewall), OM finds the appropriate constructor function in the object class table 
and constructs the new object. The same algorithm is used for management communications 
between objects (IOCTL). Based on the class id of the destination object appropriate control 
function from the object class table is called. It is the responsibility of the object implemented is 
to supply handlers for all supported IOCTLs. 



The IOCTL mechanism is described in section 4.3. Typically IOCTL between objects is used for 
Management Plane communications. For Data Plane communications between objects, object to 
object channels are used. Object channels are described in the section 4.5. 

4.2. Creation 

Objects can be created in three different ways: 

• REGISTERED: Created as system comes up (e.g. drivers) and registered to the OMORI 
with object id, having physical location meaning. 

• CREATED BY OM: Created by Object Manager. In this case OMORI creates a locally 
unique (in the scope of this address space) object ID that in conjunction with address space 
id gives unique object id inside of the system. To create an object, the constructor function 
based on the object class will be called. 



Class Table 




Figure^ Object Creation and Communication. 
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Figure XT Object Channels: Connecting CEPs in same address space 
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Figure 1^: Object Channels: Pushing service on Transmit side of Object-1 
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Figure l^Object Channels: Pushing service on Receive side of Object-1 
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Step 


Local CEP 
Object 


Local IPNOS 


Local RM/LQ 


Remote RMI 
LQ 


Remote IPNOS 


Remote CEP 
Object 


1 


objassocia 
fce channel ( 
local_chan, 
local cep i 
d, 

remote cep 
id) 












2 




/* Allocate 
remote LQ */ 

resmng_alloc_ 
resource 
(RESOURCE 
DATA CON 
NECTION, 0, 
remote_cep_id 
-> 

object.address 

_space_id ? 

&remote_lq) 










3 








Lookup 
resource tag 
and allocate 
from remote 
LQ 






4 




/* Ask remote 
LQ to allocate 
local LQ */ 

status = 
omori_obj_ioc 
tl_by_id 
(&remote_lq, 

remote_lq.gro 
up, 

OBJ CTL C 
ODE ANY 
(LQUSER BI 
ND), 

&lq_bind, 

sizeof 
(lq_bind)); 

memcpy 
(&local lq, 
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&lq_bind.lq_o 

bject.local, 

sizeof 

(object_id_t)); 










5 








Use 

resmng_alloc_r 
esource() to 
allocate local 
LQ 






6 






Lookup 
resource tag 
and allocate 
from local LQ 
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Return 

allocated local 
LQ 
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/* Bind Local 
and Remote 
LQs */ 

status = 
omori_obj_ioc 
tl_by_id 
(&local_lq, 

locallq.group 

9 

OBJ CTL C 
ODE_ANY 
fLOUSER BI 
ND), 

&lq_bind, 

sizeof 
(lq_bind)); 










9 






Setup LQ-API 
parameters to 
point to remote 
LQ 


Setup LQ-API 
parameters to 
point to local 
LQ 
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/* Push local 
LQ as a service 
onto local 
channel */ 

status = 
omori_obj_ioc 
tl by id 
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(&local_lq, 
local_lq.group 

OBJ CTL C 
ODE_ANY 
(XOUSER BI 
ND), 

sizeof 
(lq_bind)); 










11 


Lookup CEP 
address 
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/* Push remote 
LQ as a service 
onto remote 
channel */ 

status = 
omoriobjioc 
tl_by_id 
(&remote_lq, 

remote_lq.gro 
up, 

OBJ CTL C 
ODE_ANY 
fLOUSER BI 
ND), 

Ri\c\ hind 

sizeof 
(lq_bind)); 
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Figure 13: Object Channels: Connecting CEPs in different address spaces by Remote Channel 
1 1 Service 



Jc! 



3 

□ 



n 

Fi 



CoSine Communications 



Page 26 



2 




Create group 1; create 
object id link of selected 
class. Validate address 

cncjpp iH rxn f*H"n5*nilitv to 

service specified object 
class. Send request 
CREATE OBJECT to 
capable OMORI (2). Wait 
for OMORI reply. 






3 






Receive 

CREATEOBJECT 
request for specified 
ptoiit) T noVirn a 
group; not found. 
Create group 1; Create 
object descriptor of 
selected class. Call the 
class constructor. 




4 




Receive 

MV_OBJ_TO_GROUP 
request; add object id to 
OMORIG Database 


add object to the 
group, send 
MV_OBJ_TO_GROU 
P request to OMORIG 




5 








Create and 
initialize an 
object; return 
SUCCESS or 
FAILURE. 


6 






If FAILURE remove 
object from the group, 
send 

MV_OBJ_TO_GROU 
P and 
RMOBJFROMGR 
OUr to OMOKJCj; 

Else send reply for 
CREATEOBJECT 
request to OMORIG 




7 




Receive 

MV_OBJ_TO_GROUP 
request, move object to the 
group 

0(OM_BASE_GROUP); 
Receive 

RM_OBJ__FROM_GROU 
P request; remove object 
id from OMORIG 
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Database 
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Receive Object CREATE 
reolv Sienal to OMCD 






9 


VR created, return 
status to user 








10 




Send ACTIVATE object 
message to OMORI (2) 
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Receive ACTIVATE 
object message. For all 
the objects of this 
group send generic 
IOCTL 

ACTIVATEOBJECT 


Activate object, 
Do object-specific 
action to make it 
active, operational 



y3 
yi 




Figure^ VR Creation with Multiple Objects. 
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0 


Create unique 
vr_descriptor_t for 
specified VPN, fills 
with default value 
and adds VR to the 
list ofVRperVPN. 








1 


Requests group 
creation for specified 
VR with 
class_group_selector 
on specified address 
space. 








2 




Create group 1; create 
object id link of selected 
class. Validate address 
space id on capability to 
service specified object 
class. Send request 
CREATEOBJECT to 
capable OMORIs (1 and 
2). Wait for reply from 
both OMORIs. 






3 






Receive 

CREATEOBJECT 
request for specified 
group. Lookup a 
iroup; not fo^d. 

Create group 1; Create 
object descriptor of 
selected class. Call the 
class constructor. 




4 




Receive 

MV_OBJ_TO_GROUP 
request; add object id to 
OMORIG Database 


add object to the 
group, send 
MV_OBJ_TO_GROU 
P request to OMORIG 




5 








Create and 
initialize an 
object; return 
SUCCESS or 
FAILURE. 


6 






If FAILURE remove 
object from the group, 
send 

MV_OBJ_TO_GROU 
P and 
RM OBJ FROM GR 
OUP to OMORIG; 
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Else send reply for 
CREATEOBJECT 
request to OMORIG 



Receive 

MV_OBJ_TO_GROUP 
request, move object to the 
group 

0(OM_BASE__GROUP); 
Receive 

RM_OBJ_FROM_GROU 
P request; remove object 
id from OMORIG 
Database 



Receive Object CREATE 
reply. If all the object 
replied then signal to 
OMCD, otherwise do 
nothing 



VR created, return 
status to user 



Send ACTIVATE object 
message to every OMORI 
(1,2) where objects were 
created 



10 



11 



Receive ACTIVATE 
object message. For all 
the objects of this 
group send generic 
IOCTL 

ACTIVATE OBJECT 



12 



Activate object, 
Do object-specific 
action to make it 
active, operational 



5.2. VR Deletion 



fVj ML 



5.2.1. Multiple Objects 

Compliment operation to create VR with multiple objects in the group is to destroy such a VR. 
Destroy VR operation is shown on the Figure 16. Sequence of steps, describing this is in the 
Table 7. 
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Step 


OMCD 


OMORIG 


OMORI 


Object 


0 


For specified VPN 
and VR lookup 
vr_descriptor. Call 
OMORIG to delete 
corresponding group. 








1 




Lookup group descriptor 
by specified id. Filter 
OMORIs which have 
objects to be 
destroyed(which belong to 
the specified group) 






2 






Receive 

DESTROY_GROUP_ 
OBJECTS request for 
specified group. 
Lookup a group; Send 
generic IOCTL 
STOP_OBJECT to 
every local object, 
which belongs to the 
group 




3 








Stop operating, 
destroy all 
connections with 
other objects 
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4 






Send generic IOCTL 
DESTROYOBJECT 
to every local object, 
which belongs to the 
group 




5 








Free itself 


6 






If FAILURE remove 
obiect from the tn*our> 
send 

MV_OBJ_TO_GROU 
P and 
RM OBJ FROM GR 
OUP to OMORIG; 




7 




Receive 

MV_OBJ_TO_GROUP 
request, move object to the 
group 

0(OM_BASE_GROUP); 
Receive 

RM_OBJ_FROM_GROU 
P request; remove object 
id from OMORIG 
Database 
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Receive Object 
DESTROY J3ROUP_OBJ 
ECTS. Subtract number of 

dp strove H <Vhif*f*t<; from tVip 

total number of objects in 
the group (VR). If all 
objects destroyed then 
signal to OMCD, 
otherwise do nothing. 
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VR destroyed, return 
status to user 
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Control Blade redund^neysfCBR) designed to cje&e and maintain\^plicas of th^Master Cohtrol 
Blade managemepHnformahon on the Standjay Control Blades and^^sej0*rme case of failure 
of the cujjejjJt'Master and election of angw Master. The Control Ring normally elects the new 

Master. If the Control Ring detestioiwfiechanism fails a software-tased leader flection nrotofcol jj 

implemented by DML will elect the new Master. ^Jm^Jl0^ — <f J^Ju^^t^A^ 
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Figure^. Control Blade Redundancy 
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Figure/. CBR DUMP Standby State Transition Diagram 
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